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Abstract 

A wait-free hierarchy maps object types to levels in Z+ U { 00 } , and has the following 
property: if a type T is at level N t and V is an arbitrary type, then there is a wait- 
free implementation of an object of type T', for N processes, using only registers and 
objects of type T. The infinite hierarchy defined by Herlihy is an example of a wait-free 
hierarchy. A wait-free hierarchy is robust if it has the following property: if T is at level 
N , and S is a finite set of types belonging to levels N — 1 or lower, then there is no 
wait-free implementation of an object of type T, for N processes, using any number and 
any combination of objects belonging to the types in S. Robustness implies that there 
are no clever ways of combining weak shared objects to obtain stronger ones. 

Contrary to what many researchers believe [AGTV92, AR92, Her91a], we prove 
that Herlihy’s hierarchy is not robust. We then define some natural variants of Herlihy’s 
hierarchy, which are also infinite wait-free hierarchies. With the exception of one, which 
is still open, these are not robust either. We conclude with the open question of whether 
non- trivial robust wait-free hierarchies exist. 


•Research supported by NSF grants CCR-8901780 and CCR-9102231, DARPA/NASA Ames grant NAG- 
2-593, grants from the IBM Endicott Programming Laboratory and Siemens Corp. 
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1 Introduction 


A concurrent system consists of asynchronous processes communicating via typed shared 
objects such as registers, test&sets, and queues. Since any given system supports only a 
limited set of object types in its hardware, other useful types will need to be implemented 
in software. Thus, implementing an object of a given type using objects belonging to a 
given set of types is a fundamental problem. To be useful, implementations must guarantee 
linearizability [HW90]: concurrent accesses on an implemented object must appear to take 
effect in some sequential order. One way to ensure linearizability is to implement shared 
objects using critical sections [CHP71]. This approach however is not fault-tolerant: the 
crash of a process while in the critical section of an implemented object can permanently 
prevent the remaining processes from accessing the object. This lack of fault-tolerance led 
to the concept of wait-free implementations [Lam77]. An implementation is wait-free if 
every process can complete every operation on the implemented object in a finite number of 
its own steps, regardless of the execution speeds of the remaining processes. In particular, if 
object O is built using a wait-free implementation, then the crash of some processes cannot 
disable the remaining processes from completing their operations on O. 

How feasible are wait-free implementations? It is known that registers are too weak to 
implement 1 even a 2- process consensus object, i.e., a consensus object that is accessed by 
at most two processes [LAA87, CIL87]. Test&sets and 1-bit read-modify-write objects can 
implement a 2-process consensus object, but not a 3-process consensus object [LAA87]. 3- 
valued read-modify-write, on the other hand, can implement an A-process consensus object, 
for all A . These results indicate that object types differ in their ability to support wait-free 
synchronization, and that there may be a way of ordering them accordingly. This issue was 
addressed in a seminal paper by Herlihy [Her88, Her91b]. Following are some important 
definitions and results in [Her91b]. 

1. For every object type T, an object of type T can be implemented for A processes 
using only registers and A-process consensus objects. This is the universality result 
of Herlihy. 

2. For every A > 1, (A + l)-process consensus object cannot be implemented using just 
registers and A-process consensus objects. 

3. The consensus number of a shared object O is the maximum number A such that an 
A-process consensus object can be implemented using just O and (any number of) 
registers. Define a hierarchy of shared objects such that O is at level A if and only if 
its consensus number is A. This will be referred to as Herlihy’s hierarchy. 

As an obvious consequence of the universality result, Herlihy’s hierarchy has the fol- 
lowing important property: if an object O of type T is at level A, then for every object type 
T', an object of type T' can be implemented for A processes using just registers and objects 
of type T. We will call any hierarchy with this property a wait-free hierarchy. Thus, in a 

'Hereafter “implementation” stands for “wait-free implementation”. 
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wait-free hierarchy such as Herlihy’s, if an object O of type T is at level N , we can immedi- 
ately infer that arbitrary wait-free synchronization among N processes is feasible using just 
registers and objects of type T. Notice that this definition allows O to be at level N even if 
arbitrary wait-free synchronization among more than N processes is feasible using registers 
and objects of the type of O. Thus, the level of an object in a wait-free hierarchy does 
not reflect the object’s full potential; it is only a lower bound on the extent to which the 
object can support arbitrary wait-free synchronization. To understand the exact potential 
of objects, we define a tight wait-free hierarchy. In such a hierarchy, an object O is at level 
jV If JV i s the maximum number of processes for which arbitrary wait-free synchronization 
is feasible using registers and objects of the type of O. 

What other properties are important in a hierarchy? We argue below that robustness is 
one. A hierarchy is robust if for every object O, the following holds: if O is at level N, then 
it is impossible to implement O for N processes using any number and any combination of 
objects at levels N - 1 or lower. Robustness guarantees that there are no clever ways of 
putting weak objects together to implement a strong one. We now present an example to 
illustrate the significance of robustness in analyzing the power of shared primitives. Consider 
two systems Si and S 2 ■ Suppose that Si supports only registers and testtsets, and S 2 
supports only registers with 3-register assignment. Herlihy showed that arbitrary wait- 
free synchronization is impossible for 3 or more processes in Si, and for 5 or more processes 
in S 2 . What implications do these results have on a third system S 3 which supports both 
test&sets, and registers with 3-register assignment? In particular, can we conclude, 
based on just the above results, that arbitrary wait-free synchronization among 5 processes is 
still impossible? We can, provided that Herlihy’s hierarchy is robust. Otherwise we cannot. 
More generally, if Herlihy’s hierarchy is robust, the consensus number of a set of objects, 
belonging (possibly) to different types, is just the maximum of the consensus numbers of the 
individual objects in the set. Thus, robustness reduces the difficult problem of analyzing the 
power of a combination of shared objects to the simpler problem of analyzing the power of 
the individual objects. On the other hand, if robust wait-free hierarchies do not exist, then 
there is a possibility of combining weak objects to implement strong ones. In particular, 
it opens up the possibility of implementing universal objects from non-universal objects! 
Thus, from a pragmatic point of view, it would also be interesting to prove that robust 
wait-free hierarchies do not exist. 

Is Herlihy’s hierarchy robust? A study of this question with respect to common object 
types, such as register, testfcset, fetchftadd, queue, compareftswap, and sticky-bit, 
does not present any evidence to the contrary. In fact, many prominent researchers have 
attributed robustness to Herlihy’s hierarchy [AGTV92, AR92, Her91a] 2 We prove that it 

2 [AGTV92] states “An object has a consensus number k if k is the maximum number of processes for 
which the object can be used to solve the consensus problem. Thus objects with higher consensus number 
cannot be deterministically implemented by employing objects with lower consensus numbers.” 

[AR92] states “In fact, Herlihy [Her88] describes a full hierarchy of atomicity assumptions, and proves 
that atoms of a higher class cannot be implemented by those of a lower class, in a wait-free fashion in the 

deterministic setting.” „ , 

[Her91a] states “Elsewhere [17, 15], we have shown that any object X can be assigned a consensus number, 
which is the largest number of processes (possibly infinite) that can achieve consensus asynchronously [13] by 
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is not robust. More specifically, we present an object type T sp with the property that k 
objects of this type, together with registers, can implement a (k + l)-process consensus 
object, but not a (k + 2)-process consensus object. In particular, one T sp object, with 
registers, can implement a 2-process consensus object, but not a 3-process consensus object. 
Thus, by definition, a T sp object has a consensus number of 2, and is consequently at 
level 2 in Herlihy’s hierarchy. However, since multiple T Bp objects, with registers, can 
implement a consensus object for arbitrarily large number of processes, it follows from 
Herlihy’s universality result that for all types T and all N , an object of type T can be 
implemented for N processes using just registers and T Bp objects. Together with the fact 
that a T Bp object is at level 2, this implies that Herlihy’s wait-free hierarchy is not robust. 

Does there exist a robust wait-free hierarchy? We do not know the answer yet. However, 
we define three natural variants of Herlihy’s hierarchy, which are also infinite wait-free hier- 
archies. We prove that two of these are not robust. 3 The third hierarchy, whose robustness 
is still open, has the following property: if it is not robust, then there is no robust wait-free 
hierarchy. We believe that resolving the robustness of this hierarchy is an important open 
problem in wait-free synchronization. 

This paper is the first to formalize and study robustness. The technical arguments 
involved in proving the impossibility result that k T 8 p objects cannot implement a (k + 2)- 
process consensus object are novel. Traditional bivalency arguments are inadequate to prove 
such lower bounds. 


2 Informal model 

A concurrent system consists of processes and shared objects. We write (Pi , . . . , P n \ 0 \ 9 . . M C 
to denote a concurrent system consisting of processes P \ , . . . , P n and shared objects 0\ , . - • , 0 
Besides a unique name, every object has two attributes: a type and a positive integer which 
denotes the maximum number of processes which may apply operations on that object. 
We say that O is an JV-process object if N is the maximum number of processes which 
may apply operations on O . The type specifies the behavior of the object when operations 
are applied sequentially, without overlap. More precisely, an object type T is a tuple (OP, 
RES , G ), where OP and RES are sets of operations and responses respectively, and G is a 
directed finite or infinite multi-graph in which each edge has a label of the form (op, res) 
where op € OP and res e RES . We refer to G as the sequential specification of T, and the 
vertices of G as the states of T . Intuitively, if there is an edge, labeled (op, res), from state 
a to state o', it means that applying the operation op to an object in state a may change 
the state to a* and return the response res . 

applying operations to a shared A. It is impossible to construct a non-blocking implementation of any object 
with consensus number n from objects with lower consensus numbers in a system of n or more processes, 
although any object with consensus number n is universal (it supports a wait-free implementation of any 
other object) in a system of n or fewer processes.” 

3 In proving this, we show the following result which is interesting in its own right. There exist two types 
such that (i) Even 2-process consensus cannot be solved using objects of either type, and (ii) //-process 
consensus (for all N ) can be solved using the two types of objects together. 


m • 
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A sequence S = (opi, res\), {op 2 , res 2 ), • • - , {opi,resj) is legal from state o ofT if there 
is a path labeled S in G from the state a. T is deterministic if for every state a of T 
and every operation op € OP, there is at most one edge from o labeled {op, res) (for some 
res € RES). T is non- deterministic otherwise. T is total if for every state a of T and every 
operation op € OP, there is at least one edge from a labeled {op, res) (for some res € RES). 
In this paper, we restrict our attention to total types. 

An A-process object O of type T supports the set of procedures Apply(P,,op, O), 
for all 1 < i < N and op € OP{T). A process P invokes operation op on object O 
by calling Apply(P, op, O), and executes the operation by executing this procedure. The 
operation completes when the procedure terminates. The response for an operation is the 
value returned by the procedure. We denote the event of P invoking operation op on O by 
inv{ P, op, O), and the event of O returning a response v to P by resp{P,v,0). 

The type of an object, by itself, is not sufficient to characterize the behavior of the 
object in the presence of concurrent operations. To characterize such behavior, we use the 
concept of linearizability [HW90]. Roughly speaking, linearizability requires every opera- 
tion execution to appear to take effect instantaneously at some point in time between its 
invocation and response. We make it more precise below. 

Consider a concurrent system S = {Pi,P 2 ,- • -,Pn]0\,02, • ■ -,O m ). A configuration 
of S is a tuple consisting of the states of the processes Py, . . . , P n and the states of the 
objects Ox, • • ■ , 0 m . An execution E of S is a sequence Co, eo, Cy, ey, C 2 , ej, . . ., where C, s 
are configurations of S, C 0 is the initial configuration, e,’s are events, and C,+i is the 
configuration that results when event e< occurs in configuration C;. The history in E is the 
subsequence of events in E. The history of object O in E is the subsequence of events of 
O in E. If e and e' are two events in a history H, we write e <h «' if e is before e’ in 
H . A complete operation in II is a pair of events in H an invocation and its matching 
response. An incomplete operation in H is an invocation that has no matching response. 
H is complete if it has no incomplete operations. If op and op 1 are two operations in H , we 
write op <n op' if the response of op is before the invocation of op' in H. Two operations 
op and op 1 are concurrent if neither op <h op 1 nor op' <h op. H is sequential if it has no 
concurrent operations. 

Let H be a history of object O. A linearization of H is a complete sequential history 
S with the following properties: 

1. S includes every complete operation in H. 

2. Let inv{Pi,op,0) be an invocation in H with no matching response (and is thus an 
incomplete operation). Then, either S does not include this incomplete operation or 
5 includes a complete operation {inv{Pi,op,0),resp{Pi,v,0)) for some v. 
Intuitively, this captures the notion that some incomplete operations in H had a 
“visible” effect, while the others did not. 

3. S includes no operations other than the ones mentioned in 1 or 2. 

4. For all operations op, op' in S, if op <n op' then op <s op'. 
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Thus, the order of non-overlapping operations in H is preserved in S . 

Notice that a given history may have several linearizations. A history H of object 0 is 
linearizable with respect to type T, initialized to state & , if H has a linearization which is 
legal from state cr of X . 

Processes are asynchronous : there are no bounds on the relative speeds of processes. 
Furthermore, a process may crash : a process may stop at an arbitrary point in an execution 
and never take any steps thereafter. A process is correct in an execution E if it does not 
crash in E. We assume that every correct process has an infinite number of events in an 
infinite execution. An object 0 is wait-free in an execution E if either (i) E is finite, or (ii) 
every invocation on 0 from a process that does not crash in E has a matching response. 

Let T be an object type and C = (X x ,X 2 ,...) be a (possibly infinite) list of (not 
necessarily distinct) object types. Let E = (^ 1 ^ 2 ? . . .) be a list where cr, is a state of type 
T|. An implementation ofT f initialized to state o, from (j C,E)/ or N processes is a function 
1(01, 0 2 , . . .) such that if 0 1? 0 2 , - . . are JV-process objects of type X x ,X 2 ,..., initialized to 
states <t x ,<t 2 ,..., respectively, then 0 = X(0 x ,0 2 ,...) is an A-process object of type X, 
initialized to a. Intuitively, X(0 x , 0 2 , . . .) returns a set of procedures Apply(P;, op, 0), for 
1 < i < N and op G OP(X). Apply (P t , op, 0) specifies how process P, should “simulate” 
the operation op on 0 in terms of operations on 0 X ,0 2 , • • - We say 0 is a derived object 
of the implementation X, and 0i, 0 2 , . . . , 0 n are the base objects of 0. 

We say that J is an implementation ofT, initialized to state < 7 , from a set $ of types 
for N processes if there is a list C = (X x , T 2 , . . .) of types and a list E = (<7 X , o 2 , , , of states 
such that T{ € S , o t is a state of X t , and X is an implementation of X, initialized to o, from 
(£,E) for N processes. We say that a type T has an implementation from a set S of types 
for N processes if for every state a of X, there is an implementation of X, initialized to o’, 
from S for N processes. 

An implementation is wait-free if it has the following property: if all base objects are 
wait-free in an execution £, then the derived object is wait-free in E . Hereafter when we 
write “implementation”, it stands for “wait-free implementation”. 

We now define consensus and register — two object types that appear frequently 
in this paper. Type consensus supports two operations: propose(O) and propose(l). The 
sequential specification of consensus is in Figure 1. From the specification, it is clear that a 
consensus object 0 has the following properties: (i) If 0 returns a response v , then there is 
an invocation of propose(t;) preceding this response, and (ii) 0 returns the same response 
to all operations. These are known as the validity and agreement properties, respectively, of 
a consensus object. Sometimes we refer to the consensus problem for processes P\ , P 2 , . . . P n * 
This problem is stated as follows. Each process P t is initially given a binary input u t . Each 
correct process P, must eventually decide a value d, such that (i) d{ G {v x , v 2 , . . . , v n ), and 
(ii) VI < i, j < n : d{ = dy These two conditions are commonly referred to as the validity 
and agreement requirements of the consensus problem. 

Type register supports the operations {read} U {write(u)|u > 0}, and has the se- 
quential specification given in Figure 2. 
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OP = {propose(u)|u € {0, 1}} 
Object State: 

*€{±, 0 , 1 } 

propose(v) 

if X — ± then 
X := v 
return(X) 


Figure 1: Sequential specification of consensus 


OP = {read} U {write(v)|v > 0} 
Object State: 

x e {o,i,2,...} 

read() 

return(X) 

write(v) 

X :=v 

return(acfc) 


Figure 2: Sequential specification of register 


3 Hierarchy Preliminaries 

A hierarchy of shared types is a function that maps object types to levels in {1, 2, 3, . . .} U 
{oo}. An object type T is at level l in hierarchy h if h(T) = l. A hierarchy is non-trivial 
if it has at least two non-empty levels. An object type T is universal for N processes if 
for every type T', there is an implementation of T from {T, register} for N processes. T 
is universal ( for oo processes) if for all N, T is universal for N processes. A hierarchy h 
is a wait-free hierarchy if for all T, h(T) = N implies that T is universal for N processes. 
Thus, in a wait-free hierarchy, the level of T is a lower bound on the number of processes 
for which T (together with registers) can support arbitrary wait-free synchronization. The 
following proposition is immediate from the definition. 
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Proposition 3.1 If h is a wait-free hierarchy , and h f is a hierarchy such that VT : h (T) < 
h(T), then h* is a wait-free hierarchy. 

Proposition 3.2 If h is a wait-free hierarchy , then /i(register) = 1. Thus , level 1 of any 
wait-free hierarchy is non-empty. 

Proof There exist object types (for example, queue) which have no implementation from 
register for two or more processes [Her91b]. Thus, register must be at level 1 in any 
wait-free hierarchy. ^ 

From Proposition 3.1, it is clear that there can be “slack” in a wait-free hierarchy. 
This motivates us to define tightness. A wait-free hierarchy h is tight if for every wait-free 
hierarchy ti and every type T, h(T ) > ti(T). A wait-free hierarchy is fully-refined if for all 
levels k € {1, 2, 3, . . .} U {oo}, there is some type in level k . A wait-free hierarchy h is robust 
if for every type T and every finite set S of types, if h(T) = N and VT ; € S : h(T f ) < AT, 
then there is no implementation of T from S for N processes. The reader should note the 
difference between tightness and robustness. The trivial wait-free hierarchy which maps 
every object type to level 1 is obviously robust, but not tight. The wait-free hierarchy h£ 
(to be defined soon) is tight, but it is not known whether it is robust. 

In the remainder of this section, we define some natural wait-free hierarchies, and high- 
light some simple properties of these hierarchies. In the following definitions, the subscript 
indicates whether the definition allows just 1 or many objects of the argument type. The 
superscript r indicates that the definition allows the use of registers. 

1. hi(T) = maximum number of processes for which a consensus object can be imple- 
mented using just a single object of type T. If there is no such maximum, then 
hi(T) = oo. 

2. hi(T) = maximum number of processes for which a consensus object can be imple- 
mented using just a single object of type T and any number of registers. If there is 
no such maximum, then h^(T) = oo. 

Notice that this is Herlihy’s hierarchy. 

3. h m(T) = maximum number of processes for which a consensus object can be imple- 
mented using any number of objects of type T. If there is no such maximum, then 
h,(T) = oo. 

4. h i(T) = maximum number of processes for which a consensus object can be imple- 
mented using any number of objects of type T and any number of registers. If there 
is no such maximum, then h £(T) = oo. 

Proposition 3.3 Each o/hi,h^,h„h£ is a fully-refined wait-free hierarchy. 

Proof Herlihy’s universality result trivially implies that these are wait-free hierarchies. 
That these are fully-refined follows from the easy observation that V/i € {hi,h|,h*,hj} and 
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OP = {propose(t>)|t> € {0, 1}} 
Object State: 

X € {-L)0, 1} 

N6 { 0 , 1 , 2 ,...} 

propose(v) 

N := N + 1 
if X = ± then 
X := v 

if N < k then 
return(X) 
else return(-L) 


Figure 3: Sequential specification of k- cons 


k e {1, 2, 3, . . .} U {oo}, /i(it-cons) = k. (See Figure 3 for the definition of the type fc-conB.) 
□ 

Proposition 3.4 hj [(T) = N < oo if and only ifT is universal for N processes, but not 
for N + 1 processes. h£(T) = oo if and only if T is universal. 

Proposition 3.5 If h is a tight wait-free hierarchy, then h = hj. In other words, hjj is the 
unique wait-free hierarchy which is tight. 

The hierarchy hj is uniquely important in the study of robust wait-free hierarchies. To 
formally state this, we need a definition. Let a = Huh****) be a finite/infinite sequence 
such that 1 «/,< /a </»... and fi € {1,2,3,...} U {oo}. We say g is a coarsening of 
hierarchy h with respect to o if, for all object types T , we have: 

1. If /, < h(T ) < /,+!, then g(T) = 

2. If /, < h(T) and /, is the last element of o , then g(T) = 

3. If h(T ) = oo and o is infinite, then g(T) = oo. 

Intuitively, levels U ... (/,+ 1 - 1) in fi are lumped into level U of g, causing levels 
(/. q. i) ... (f i+1 _ l) to be empty in g. We say g is a coarsening of a hierarchy h if there is 
a*<r of the form 1 = li < l 2 < h • • • such that g is a coarsening of h with respect to o. It is 
obvious that if h is a wait-free hierarchy, so is every coarsening of h. 

Theorem 3.1 If h is a robust wait-free hierarchy, then h is a coarsening of h£. 
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Proof Assume that h is a robust wait-free hierarchy, and is not a coarsening of hj. Let 
<r = (/i, Z 2) • • -)» where 1 = < l 2 < h • • • are all the non-empty levels of h. Define g to be 

the coarsening of h£ with respect to o . From our assumption that h is not a coarsening of 
hj, it follows that h ^ g. Thus, there is a type T such that h(T ) ^ <7(-0* m ~ 
and n = g(T). By definition of g, a level k of g is non-empty if and only if level k of h 
is non-empty. Together with m ^ n, this implies that there exist types V and T", each 
different from T, such that g(T') = m and h(T") = n. Since m / n, we are left with two 
cases to consider. 

1. m < n. 

Since g{T) = n, it follows that h l(T) > n . Thus, by Proposition 3.4, T is universal for 
n processes. In particular, there is an implementation of T n from {T, register} for 
n processes. Since h(T) = m < n = h is not robust. This is a contradiction. 

2. m > n. 

From the above, g(T r ) = m. Thus, level m of g is not empty. This, together with 
m > n, implies that n < hJ(T) < m. This implies, by Proposition 3.4, that T is 
not universal for m processes. Since h(T ) = m, it follows that h is not a wait-free 
hierarchy. This is a contradiction. 

This completes the proof of the theorem. D 

What can we say about the robustness of hi,h^, and h M ? This question is addressed 
by the following proposition. 

Proposition 3.6 Let h 6 {hi,hf,h M }. If h / h£, then h is neither tight nor robust. 

Proof Proposition 3.5 implies that h is not tight. Theorem 3.1 and Proposition 3.3 imply 
that h is not robust. a 

Does one of hi,h^, and h m define the same hierarchy as h£? The answer is not easy. For 
instance, differs from hj if and only if there is a type such that multiple objects of this 
type (together with registers) can solve consensus among a larger number of processes than 
a single object (together with registers) can. Does such a type exist? No common object 
type exhibits such a property and, hence, it is a non-trivial question. Similarly, h. differs 
from h£ if and only if there is a type such that the use of registers increases the number 
of processes for which consensus can be solved using objects of this type. Again, common 
object types do not exhibit this property, making it difficult to answer whether such types 
exist. 

In the rest of the paper, we prove that each of hi,hj, and h* differs from h£. Thus, 
none of hi,h^, and h m is robust. In particular, hj, which is the same as Herlihy’s wait-free 
hierarchy, is not robust. Unfortunately, we do not yet know whether h£ or some coarsening 
of it is robust. This is an important open question. We hope that the ideas employed in 
this paper would provide useful insights. 
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(L-op, R-first ) 
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(L-op, L-first) 




Figure 4: Object type T 8 ticky 


4 On the robustness of h\ (Herlihy’s hierarchy) 

The main result of this section is that is not robust. We prove this result by presenting 
an object type T 8p with the following property: n T sp objects, together with registers, can 
implement a consensus object for n + 1 processes, but not for n + 2 processes. This implies 
h^(T sp ) = 2 and h£(T sp ) = oo. Thus, ^ hj, and by Proposition 3.6, is not robust. 

Consider the object type T 8t icky in Figure 4. It supports two operations, L-op and 
R-op, and responds with either L-first or R-first. If L-op is applied on a T 8t icky object 
O, initialized to state S±, O changes state to Sl and returns L-first as the response. 
Furthermore, O returns L-first to all subsequent operations, reflecting the fact that L-op 
was the first operation applied on O. The behavior is symmetric if, instead of L-op, R-op 
was the first operation applied on O. In essence, the first operation “sticks” to O and 
determines the response for all operations. Notice that T 8 ticky I s similar to the consensus 
[Her91b] and sticky-bit [Plo89] object types. 

Now consider the type T sp , a variant of T 8 ticky, shown in Figure 5. T Bp lacks the 
symmetry of T 8 ticky : If R-op is applied to a T 8p object O, initialized to S±, R-op sticks to 
O as before. However, as soon as R-op is applied for the second time, it “unsticks” and O 
starts behaving as though it had been stuck with L-op all along. The following is a trivial 
consequence of the definition of T 8p . 

Lemma 4.1 Let O be an object of type T 8p initialized to Sj_. Let E be an execution in 
which R-op is applied at most once on O. Then, the following statements are true in E. 

1. If T\ and Ti are the responses to any two operations on O, then r\ = r%. 

2. If O returns a response D-first (D e {L,R}), then an invocation of D-op precedes this 

response. 


4.1 Implementing consensus from {T 8p , register) upper bound 

In this section, we show how to implement a consensus object for n processes using (n — 1) 
T sp objects and 2(n - 1) registers. Our implementation is recursive. Let denote the 
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(L-op, L- first) 
(R-op, L- first) 


(L-op, R- first) 




(R-op, L- first) 


Figure 5: Object type T sp 


O n - 1 : consensus object for P \ , P 2 , ■ . . , P n -i > derived from X n -\ 
0 ap : Tap object, initialized to S± 

L, R: binary registers 


Apply (Pi, propose Vj, O n ) (for 1 < t < n — 1) Apply (P „, propose v n , On) 


1. L := Apply (P,, propose t>„ O n - 1 ) 

2. if Apply(Pi, L-op , 0 4p ) = L-first 

3. return(Z) 

4. else return(P) 


R • — 

if Apply(P„, P-op, 0 4p ) = L-first 
return(i) 
else return(P) 


Figure 6: Implementing consensus with Tap and register 


implementation of consensus from {T 8p , register} for processes Pi, P 2 , • • •, Pj- The base 
case is to derive Ii, implementation of consensus for the single process Pi, and is trivial: 
if Oi is a derived object of l u Apply(Pi, propose v r , Oi) simply returns v v The recursive 
step of deriving l n from I„_i is presented in Figure 6. 

Lemma 4.2 The implementation I n in Figure 6 is a correct implementation of consensus 
from {T sp , register} for processes P a ,P 2 , . . .,P„. T n requires (n - 1) objects of type T 8p 
and 2(n - 1) registers. 

Proof We prove the correctness of T n by induction. The following is the induction hy- 
pothesis: for 1 < j < n - 1, Tj is a correct implementation of consensus for processes 
Pi,P 2 ,. . .,P- The base case, namely, that Ii (described above) is a correct implementa- 
tion of consensus for Pi, is obvious. The induction step is proved through several simple 
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claims. Let O n be a derived object of 1„. Consider an execution E of the concurrent sys- 
tem (Pi,P 2 ,---,P n ]O n ). Assume that each P, executes Apply(P„ propose t\, O n ) at most 
once in E . 4 We make the following claims about E. The proof of each claim follows its 
statement. 

Cl. For D € {L,R}, the following holds: 

1. Every process that writes the register D, writes the same value V in D. 

2. If D = L,V e Otherwise, V = v n . 

For D = R, the claim is obvious since only P n writes R. For D = L, the claim follows 
from the agreement and validity properties of O n - 1 • 

C2. Some process completes a write on D before any process receives the response D-first 
from O sp . 

By Lemma 4.1, some process, say Pk, invokes D-op before any process receives the 
response D-first. By the implementation, this process Pk will have completed a write 
on the register D before invoking D-op on 0, v . 

Consider, for arbitrary i,j and i # j, the executions of Apply(P„, propose t>{, O n ) 
and Apply (Pj, propose vj, O n ) in E. By Lemma 4.1, the responses received by P, and Pj 
from O ap (in Statement 2 of their respective executions) are the same. Let D-first be this 
response (for some D € {L,R}). Thus, in Statement 3, both Apply(P,, propose u,, O n ) 
and Apply (Pj, propose vj, O n ) read and return the value in the register D. From Claims 
C2 and Cl, it follows that both Apply (P,, propose v,-, O n ) and Apply(P,, propose vj, O n ) 
read the same value V in D and that V € {vj, V 2 , .. .,«»»}• Thus, the value returned by 
both Apply(P t , propose O n ) and Apply(Pj, propose Vj, O n ) is the same and is from 
{t>j, u 2 i . . . , v n ). It is obvious that the implementation is wait-free. Hence the lemma. □ 

Corollary 4.1 hJ(T 8p ) = oo. 

4.2 Implementing consensus from {T Bp , register) — lower bound 

The main technical result of this section states that any solution to n-process wait-free 
consensus using T 8p objects and registers requires at least n — 1 T 8p objects, regardless of 
how many registers are available. We prove this result by reducing the “1 -resilient consensus 
problem for n processes communicating via registers 5 ” to the “wait-free consensus problem 
for n processes communicating via registers and (n — 2) T 8p objects”. The former problem is 
impossible to solve [LAA87]. Hence the impossibility of the latter. The reduction is based 
on the novel concept of k-trap implementations. 

4 This is not a limitation for the following reason. After Pi executes A PP ly(P;, propose v,, O n ) once, it 
can record the return value in its local variable. Thereafter, when Pi needs to a PP ly a propose o P eration on 
O n , it may sim P ly return the value of this local variable as the res P onse. This strategy works because O n 
is a consensus object, and therefore must return the same res P onse to every invocation. 

5 A P rotocol is k-resilient if it meets the P roblem specification des P ite the crash of k or fewer processes. 
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4.2.1 k-trap implementations 

An implementation for processes P u P 2 ,...,P n is a k-trap implementation if every de- 
rived object O of the implementation has the following property: in any execution of 
(P 1 ,P 2 ,...,P n ', O), regardless of the relative execution speeds of processes, all but up to k 
correct processes will be able to eventually complete their operations on O. In other words, 
O appears wait-free to all but up to k correct processes. 

We now contrast lb-trap implementations with the familiar wait-free, non-blocking, 
and critical- section based implementations. Critical-section based implementations and 
non-blocking implementations (for n processes) are both (n — l)-trap implementations. A 
critical-section based implementation is (n — l)-trap because the crash of a single process in 
the critical section blocks the remaining (n - 1) processes. A non-blocking implementation 
is (n — l)-trap because repeated execution of operations by one process could cause the 
remaining processes to block. The converse does not hold: an (n - l)-trap implementation 
does not guarantee the properties of either a critical-section based implementation or a non- 
blocking implementation. To see this, suppose that exactly one process, say P, attempts 
to access the object, and suppose that P is correct. In the case of a critical-section based 
implementation or a non-blocking implementation, P is guaranteed to complete its operation 
on the object. But in a A:-trap implementation (k > 1), P may block. Finally, note that a 
0-trap implementation is the same as a wait-free implementation. 

The following lemma establishes the utility of fc-trap implementations in proving lower- 
bounds. 

Lemma 4.3 Let T be any object type such that for every state a of T, there is a 1-trap 
implementation of T, initialized to o , from register for n processes. Then, any wait- 
free implementation of consensus from {T, register} for n processes requires at least n — 1 
objects of type T ( regardless of how many registers it uses). 

Proof Suppose that the lemma is false, and there is a wait-free implementation J of 
consensus from {T, register} for n processes such that J requires only n — 2 objects of type 
T, initialized to states o 2 , . . . , <r„_ 2 of T, and m registers (for some m > 0). Consider the 
protocol V in Figure 7. Clearly, processes communicate exclusively via registers in protocol 
7>. We argue below that P solves the consensus problem for processes P\ , P 2 , . . . ,P n even 
if (at most) one of the processes may crash. By the impossibility result in [LAA87], such a 
protocol does not exist. Hence the lemma. 

We claim that at most (n - 2) processes block on O. This follows from the following 
facts: 

1. n — 2 base objects of O are 1-trap. So at most one process blocks on each of these. 

2. No process blocks on the remaining base objects of O, the registers R\,R 2 , . . . , R m - 

3. O is derived from a wait-free implementation. 
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1. For 1 < t < n - 2, use I Ci to implement an object 0, of type T initialized to state a,-. 

2. Use J to implement a consensus object O from 0 X ,0 2 ,. . ., 0 n -2 and registers 
Ru R21 • • •> R m • 

3. Let D be a 3- valued register initialized to _L. 

4. For 1 < i < n, let v, be the binary input value of process P, for consensus. Process P, 
executes the following procedure. We require that statements 1 and 2 are executed in 
a fair manner. 


cobegin 

1. D := Apply(Pi, propose v*, 0) 

2. repeat until ( D / -L). 
decide D 

coend 


Figure 7: 1- resilient consensus protocol V for n processes 


Therefore, if at most one of A,P 2 ,...,P„ crashes, there is still one process, call it 
Pt, that neither crashes nor blocks on O. This process Pk eventually writes the response, 
call it V , returned by Apply (Ft, propose v k , O) in register D. Since 0 satisfies validity, 
we have V € {v x ,v 2 , . . Since O satisfies agreement, no process ever writes a value 

different from V in register D. Since Statements 1 and 2 axe executed in a fair manner, 
every non-crashing process eventually reads V and decides V . In other words, V solves the 
consensus problem for Pi , P 2 , . . . , P„ even if at most a single process may crash. □ 


4.2.2 1-trap implementation of T Bp 

Recall that T gp has three states - Si, Si,, and Sr. We now present a 1-trap implementation 
of T gp initialized to S x , and 0-trap implementations of T. p initialized to S L or Sr. These 
implementations use only registers as base objects. Thus, by Lemma 4.3, we have the 
desired lower bound. 

A 1-trap implementation of T 8p , initialized to Sx, from register for n processes is 
presented in Figure 8. This implementation is subtle. We present below an informal and 
intuitive argument of its correctness before proceeding to give the formal proof. Consider 
O, a T 8p object derived from this implementation. Let H be a history of O, and let first-op 
denote the first operation to complete in H. There are two cases. Case (1) corresponds 
to first-op being an L-op operation. Consider the linearization S which includes only the 
complete operations in H and sequences them in the order of their completion times. Thus, 
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R[ 1 . . .n]: binary (1-writer, n- reader) registers initialized to 0 


Apply(Pj, L-op, O) 
return(I -first) 


Apply (Pi, R-op, O) 

1. if (Vfc : R[k]= 0) then 

2. R[i] := 1 

3. repeat until (3 j < i : R\j\— 1) 

4. Tet\nn(L-first) 


Figure 8: 1-trap implementation of T sp , initialized to S ±, from register 


first-op , which is an L-op operation, becomes the the first operation in S. Furthermore, 
the response of every operation in S is L- first (this is obvious from the implementation). 
From the sequential specification of T gp in Figure 5, it is obvious that S is legal from 
the state S x of T gp . Now consider Case (2), which corresponds to first-op being an R-op 
operation. The key observation is that if first-op, which is an R-op operation, completed in 
H , then by our implementation, there must be another R-op operation, call it blocked-op, 
from a different process which is concurrent with first-op and is blocked. Let us pretend 
that, although incomplete, blocked-op has indeed taken effect in H, and has R-first for its 
response. Consider the linearization S which sequences blocked-op first, first-op second, and 
the remaining complete operations in H in the order of their completion times, (blocked- 
op can be linearized before first-op since these two operations are concurrent.) Thus the 
first operation in the linearization 5 is a R-op operation with R-first as the associated 
response. The second operation in the linearization is also an R-op operation, and has 
L-first as the associated response. The remaining operations in the linearization have L- 
first as their response. From the sequential specification of T gp in Figure 5, it is obvious 
that this linearization S is legal from the state S x of T gp . Hence the correctness of our 
implementation. We formalize the above arguments and present a more rigorous proof of 
correctness below. The proof is based on a series of claims. 

Claim 4.1 The implementation is 1-trap. 

Proof Clearly, a correct process Pj blocks if and only if the repeat • • • until loop (Statement 
3 of Apply(Pj, R-op, O)) never terminates. By Statement 2, such a P, will have written the 
value 1 into P[t]. 

Suppose that the claim is false, and two correct processes Pj and Pj (assume j < i) block 
on O. It follows that P[t] = R[j] = 1 and each of Pi and Pj is caught in the repeat • • • until 
loop that never terminates. Process P, eventually notices that R[j] = 1, and since j < i, Pi 
quits the repeat ■ • • until loop, and returns L-first. This contradicts the assumption that Pj 
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blocks on O - 

The next claim asserts that if a process P, successfully completes an R-op operation 
on O, then a different process Pj is already blocked, unable to complete its R-op operation 
on O. 

Claim 4.2 Let E be an execution of {Pi,P 2 , . . .,P n \0), and H be the corresponding his- 
tory. Suppose that H contains the two events — an invocation e\ nv = tn«(P„ R-op, O) 
and its matching response e\ t3 = resp(P„ L-first, O). Then H contains an invocation 
e'p v = inv(Pj, R-op, O) such that 

1 . ej nv <h and 

2. ep v has no matching response in H . 

Proof The proof of this claim is based on the following observations: 

01. The predicate 3k : R[k]= 1 is stable: that is, if it holds in some configuration of an 
execution, it holds in every subsequent configuration of that execution. Furthermore, 
this predicate must hold before a response can occur to any invocation of R-op. 

The first part of this observation follows from the fact that once a 1 is written to a 
register, it is never changed. The second part is obvious from Statements 1 and 2 of 
the implementation. 

02. In H, let k be the smallest integer such that P k has an invocation e'£ v = inv(P k , 
R-op, O ) and P k writes a 1 in R[k). Then ej. nu has no matching response in H. 

To see this, notice that after writing a 1 in P[A], P k enters the repeat • • • until loop. 
This loop never terminates in H because of our premise that k is the smallest integer 
such that P k writes a 1 in R[k]. Thus P k does not return from Apply(P*, R-op, O). 

03. In H, if a process P k writes 1 in R[k] after an invocation e* fc n " = inv{P k , R-op, O) and 
before its matching response, then e'™ <jj ep 3 . 

Suppose not. Then ep 3 < // e'p v . After the invocation ep v , when P k executes State- 
ment 1 of the procedure Apply(Pjt, R-op, O), the guard V* : R[k]= 0 evaluates to 
false (by Ol). Thus P k returns the response L-first without writing into R[k]. This 
contradicts the premise that P k writes 1 into R[k] after the invocation e’ fe nv and before 
its response. 

To complete the proof of the claim, let S be the set of processes that invoke R-op on O 
and write 1 into a register in the execution E. Since H contains a response event ep 3 , by 
Ol, S is non-empty. Let j be the smallest integer such that Pj € S. By 02, Pj' s invocation 
e inv of R-op on O has no matching response in H. By 03, e'™ <jj e\ t3 . Hence the claim. 
□ 

Claim 4.3 Let E be an execution of (Pi, . . ., P n ; O), and H be the history of O in E. H 
is linearizable with respect to Tap, initialized to state S±. 
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Proof If H has no response events, then the claim is trivial: the empty sequence is a 
linearization of H and is legal from state S± of T sp - Assume, therefore, that H has one or 
more response events. Let ej cs = resp(Pi , L- first , O) be the earliest response in H . Let 
e\ nv be the invocation whose matching response is e* C3 , There are two cases: 

Case 1. e- nv = L-op, O ) 

This corresponds to the case in which the first operation to complete is an L-op 
operation from process P,. Define a sequential history S as follows: 

1. S includes all complete operations in H. 

2. If two operations op and op* are in 5, op <s op f if and only if response of op 
precedes the response of op* in R . 

It is obvious that (i) 5 is a linearization of J7, and (ii) S is legal from the state S± of 
Tsp. 

Case 2. e) nv = inv(P { , JZ-op, O ) 

This corresponds to the case in which the first operation to complete is an fZ-op from 
process By Claim 4.2, there is an invocation ej nu = inv(Pj, iZ-op, O) such that 
ej nv <H and ej nv has no matching response in H . Define a sequential history S 
as follows: 

1. S includes all complete operations in H , and the operation (e* nv ,eJ C5 ), where 
ey a = resp(Pj, R- first , O ). 

2. The operation (e’ n^, ,eJ c, ) precedes all other operations in 5. 

3. If op and op' are operations in S different from (ej nv ,ej cj ), op <s op f if and only 
if the response of op precedes the response of op 1 in H . 

It is easy to verify that (i) 5 is a linearization of H , and (ii) S is legal from the state 
S± of T sp . 

Hence the claim. D 

Lemma 4.4 Figure 8 presents a 1-trap implementation of T»p, initialized to Sj_, from 
register for processes Pi,P 2 , ■ ■ ■ , P n • 

Proof Follows from Claims 4.1 and 4.3. n 

Lemma 4.5 Figure 9 presents a 0-trap ( wait-free ) implementation of T S p, initialized to Sr, 
from register for processes Pi , P 2 , ...,P n - 

Proof Let E be an execution of (Pi, P 2 , . . . , P n ; O), and let Hr and Ho be the histories of 
objects R and O, respectively, in E. Let S r be a linearization of Hr, which is legal from 
the state 0 of register. For every operation op € Eft, define f(op) as follows: 
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R: binary register initialized to 0 


Apply(p, L-op, O ) 

if ( R = 0) then 
TetuTn(R-first) 
else Tetum(L-first) 


Apply(P„ R-op, O) 
R := 1 

return(L-^rs<) 


Figure 9: 0-trap implementation of T #p , initialized to Sr, from register 

if op = ( inv(Pi , read , R), resp(P{, 0, R)) then 
/(op) = (inv(Pi,L-op, O), resp(Pi, R-first, O)) 
else if op = (inv(P,, read, R), resp(Pi, 1, R)) then 
/(op) = ( inv(P{,L-op , O ), resp(Pi, L-first, O)) 
else if op = (inv(P{, write 1, R), resp(P, , ack, R)) then 
/(op) = (inv(Pi, R-op, O ), resp(Pi, L-first, O)) 

Define a sequential history £<9 35 follows: 

1. For every operation op £ Y,r, include /(op) in £< 9 - 

2. If op, op' € £/* and op <z R op', then /(op) <s 0 f(op'). 

It is easy to verify that £<9 is a linearization of Ho, and is legal from the state Sr of T #p . 

□ 

Lemma 4.6 Figure 10 presents a 0-trap (wait-/ree) implementation 0 / T sp , initialized to 
Sl, from register /or processes P\,P 2 ,..., P n . 

Proo/ Obvious. D 

Lemma 4.7 Any wait-/ree implementation 0 / consensus /rom {T sp , register} /or n pro- 
cesses requires at least n — 1 objects 0 / type T B p- 

Proo/ Follows from Lemma 4.3, and Claims 4.4, 4.5, and 4.6. E 

Corollary 4.2 h£(T Bp ) = 2. 

Proo/ By Lemma 4.2, h^(T Bp ) > 2. By Lemma 4.7, hj(T Bp ) < 2. Hence the result. □ 
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Apply(P,, L-op, O) 


Apply(Pj, R-op, O) 


Tct\ivn(L-first) 


TetuTn(L-first) 


Figure 10: 0-trap implementation of T 8p , initialized to Sl 


Theorem 4.1 hj is neither tight nor robust. 

Proof Follows from Proposition 3.6 and Corollaries 4.1 and 4.2. Q 

Theorem 4.2 hi is neither tight nor robust. 

Proof From the definitions of hi and hj , it is obvious that, for all types T, hi(!T) < hi(T). 
In particular, hi(T 8p ) < h£(T 8p ) = 2 < oo = h£(T 8p ). Thus, by Proposition 3.6, hi is 
neither tight nor robust. D 


5 On the robustness of h m 

The main result of this section is that h B is not robust. We prove this result by presenting 
an infinite family T^ d , Jfc € {2, 3, 4, . . .} U {oo}, of object types with the following properties: 

1. There is an implementation of consensus from {Tj^, register} for k processes, but 
not for k + 1 processes. 

2. There is no implementation of consensus from T^ d for two processes. 

Property (1) implies that h£(T£ d ) = k. Property (2) implies that h B (T* d ) = 1. Thus, 
ha, / hj, and by Proposition 3.6, h B is not robust. 1 2 * * * 6 This result is significant in the following 
sense. Registers by themselves are too weak to solve even 2-process consensus. So are 
objects. Combining these two types, however, lets us solve consensus among any number 
of processes! 

The object type T* d is specified in Figure 11. In this specification, choose(S) is assumed 
to choose an element from set S non-deterministically and return it. Notice that upset and 

aheat^i] are stable: once true, they remain true. Similarly, once decision € {0,1}, it does 
not change. 

6 A single member of the family is sufficient to establish that ha is not robust. The existence of an 
entire family shows that there is not even a coarsening of ha which is non-trivial and robust. 
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51. T* d supports operations in {op(t)|t = {0,1}} U {give-decision(i,6)|t € {0, 1},6 G 
{true, false}}. 

52. The response for op(0) or op(l) is always ack. The response for give-decision(-, -) 
is either 0 or 1. 

53. The state of T* d is represented by the variables no,ni,n y< i : integer; decision € 

{±,0,1}; ahead[0..1], upset : boolean. Informally, count the number of 

executions of op(0), op(l), and give-decision, respectively. The variable ahead[i] 
is set to true if > 0 and n r = 0 when give-decision(i, -) is executed. The 
variable upset is set to true if one of the following happens: (i) op(l) is executed 
more than once (op(0) may be executed any number of times without upsetting a T nd 
object); (ii) give-decision is executed more than k times; (iii) give-decision(t, — ) 
is executed with no prior execution of op(i); (iv) give-decision(t, true) is executed 
with no prior execution of op(t); (v) give-decision (i, false) is executed and ahead 
p) = true. If upset, a T* d object returns 0 or 1 non-deterministically to an invocation 
of give-decision. If not upset, it sets decision irrevocably and non-deterministically 
(if not already set) to 0 or 1 such that n deci , i<m > 0, and returns decision. See S5 
below for a formal sequential specification of T* d . 

54. The state of T* d corresponding to (no = n i — n gd = 0 ; decision = X; a/iead[0..1] = 
upset = false ) is known as the fresh state. The states of T^ d are only those that are 
reachable from the fresh state by the following specification. 

55. The sequential specification of T^ d is as follows: 

op(o r * e {o, i} */ 

m := n, + 1 

if ni > 1 then upset := true 
return(acAr) 

give-decision(t, other-is^ahead) j * i € {0, 1}, other-is- ahead: boolean */ 

Ug d I— Ug d 1 

if (n, > 0 A nj = 0) then aheac^i] := true 

if (n g d > k) V (n, = 0) V (a/ieadp) A -> other-is-ahead) V (nj- = 0 A other-is-ahead ) then 
upset true 
if upset then 

return(c/ioose({0, 1})) 
else if decision = L then 

decision := choose({j\nj > 0}) 
return(dectsion) 


Figure 11: Object type T^ d 
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5.1 consensus from {T* d , register} — an implementation 

In this section, we show, for k G {2, 3, . . .} U {oo}, how to implement a consensus object for 
k processes using only T* d objects and registers. Our implementation is recursive. Let I* 
denote the implementation of consensus from {T* d , register} for processes Pi, P 2 , • • •, Pn- 
The base case is to derive 1$, implementation of consensus for an empty set of processes, 
and is vacuous. The recursive step of deriving I* from i® presented in Figure 12. 

The implementation works as follows. Processes Pi — P n split into two groups, Go 
and G\. Group Go has P\ . . ■ P n -i 1 and group G\ has just P n . Processes Pi . ..P n - 1 do 
consensus among themselves (recursively) and announce the outcome in U[0]. Process P n 
announces its input value in P[l]. The rest of the protocol resolves which of the two groups 
is the winner. If Go wins, every process decides the value in Jt[0]. Similarly, if G 1 wins, 
every process decides the value in P[l]. The object O n j is used to determine the winner 
of the two groups. Processes Pi . . . P n _i perform the operation op(0) on O nc i- Then they 
set the register f?'[0] to inform process P n that op(0) has been executed on 0 n d- Process 
P n , on the other hand, performs op(l) on O n d , and then sets to inform processes in 
Go that op(l) has been executed. Processes then perform the give-decision operation. 

The return value determines the winning group. For this strategy to work correctly, the 
arguments of the give-decision operation must be such that the O n d object does not get 
upset. We urge the reader to understand how the registers £ f [0..1] are used to ensure that 
Ond does not get upset. Finally, if O n d returns v, a process assumes that the group G v won 
and decides the value in P[v]. 

Lemma 5.1 For 1 < n < k, the implementation I* in Figure 12 is a correct implementa- 
tion of consensus from {T* d , register) for processes P\,P 2 , • • • , Pn- 

Proof Sketch By induction. Assume that is correct. Let O n be a derived object 
of the implementation in Figure 12. Consider an execution E of the concurrent system 
(Pi,P 2 , . . . , P n ; O n ) in which every process P, has invoked Apply (P ,, propose v,, O n ) exactly 
once, and executed it to completion. The key claim is that O n d is not upset in E. This 
follows from the following simple observations: 

1. op(l) is executed only once. 

2. For v € {0, 1), op(u) is executed before executing give-decision(u, -). 

3. give-decision is executed no more than n times. Since n < k, give-decision is 
executed no more than k times. 

4. Suppose op(u) is ahead of op(t?). That is, the operations op(«) and then give-decision(t>, -) 
are completed before the first invocation of op(w). Then, the use of the registers 
P'[0..1] in the implementation guarantees that when a process invokes 
give-decision(t), other-ahead), the second parameter, namely, other-ahead, is true. 
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*rk 

base obj ects of the implementation Z„ 

O n - \ : consensus object for P \ , P2, • ■ ■ » Pn- 1 > derived from X„-i 
0 n d : Tjj d object, initialized to the fresh state 
P[0..1]: binary registers 

#'[0..l]: boolean registers, initialized to false 


local variables of process Pj 
d{, winner i € {0, 1} 
other-aheadi'. boolean 

Apply (-P,, propose v t , O n ) (for 1 < t < n - 1) 

1. di := Apply( P„, propose Vi,O n -i) 

2 . R[0] := di 

3. Apply(Pi, op(0), O n d) 

4. .R'[0] := true 

5. other-aheadi := P/[l] 

6 . winner := 

Apply(P), give-decision(0, other-aheadi ), O n d) 

7. return(iZ[u)tnneri]) 


Apply (Pn> propose v n , O n ) 

d n := v n 
P[i] := d n 

Apply(P„, op(l), Ond) 

.R'[l] := true 
other-aheadn := -R ; [0] 
winner n := 

Apply(P n , give-decision(l, other -ahead n ), O n d 
return(P[tn*nner„]) 


Figure 12: Implementing consensus from {T^ d , register} 


23 


5. Suppose no process completes the operation op(v) before some process invokes 

give-dacision(v, other-ahead). Then the use of the registers R [0..1] in the imple- 
mentation guarantees that the second parameter of give-decision, namely, 

other-ahead, is false. 

Since O n d is not upset in E, by the specification of Tjj d , we have: 

1. Every give-decision operation on 0 n d returns the same binary response. Let 
winner 6 {0, 1} denote this response. 

2. Some process Pj invokes op(uunner) before O n d returns winner for the first time to 
a give-decision operation. 

From the implementation, it is clear that Pj writes the value dj in R[winner] before invoking 
op(unnner). Furthermore, once a value is written by a process into a register f?[0] or i2[l], 
the value of that register never subsequently changes. For R[0], this follows from the 
agreement property of , and for J2[l], this follows from the fact that only P n writes 
il[l] and writes it only once. 

The above implies that for all i, Apply(P,, propose v,, O n ) returns dj. Thus, O n satisfies 
agreement. If j = n, then dj = d n = t>„, and thus, O n satisfies validity. If j / n, by the 
validity of O n - j, dj € {v x , v 2 , . 1}- Thus, O n satisfies validity. It is obvious that the 

implementation is wait-free. This concludes the proof of correctness of I* . D 

5.2 consensus from {T* d , register} — an impossibility result 

In this section, we prove that T* d objects and registers do not suffice to implement a 
consensus object for k + 1 processes. This impossibility result follows from a straight 
forward bivalency argument. The intuition behind why this impossibility result holds for 
Jt-f 1 processes, but not for k processes, is as follows. As we have seen, a T* d object supports 
two kinds of operations: op and give-decision. The operation op(t') does not return any 
useful information to the invoking process. This is due to the fact that the response of op(t') 
is always ack. The operation give-decision does return useful information, but only to 
the first k invocations of the operation. Thereafter, its response is non-deterministic and 
hence is not helpful. Thus, k processes may gain useful information from a T* d object, but 
k -(- 1 processes cannot. We now proceed to prove the impossibility result. 

Let T d be a deterministic object type whose specification is defined by replacing every 
expression of the form choosers ) in Figure 11 by min(S). 7 Thus, T d is a deterministic 
restriction of T^ d . Hence, if a history of an object is linearizable with respect to T d , then it 
is a fortiori linearizable with respect to T* d . We prove below that T d objects and registers 
do not suffice to implement a consensus object for k + 1 processes. This trivially implies 
that T* d objects and registers cannot implement a consensus object for k + 1 processes. 

7 min(S) is the minimum element in set S. 
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As mentioned, the proof uses a simple bi valency argument. Since bivalency arguments 
are standard, our definitions and the proof are informal. A configuration C of a concurrent 
system is v-valent (for v € {0,1}) if there is no execution from C in which v is decided 
by some process. In other words, once the system is in configuration C, no matter how 
processes are scheduled, no process decides V. A configuration is monovalent if it is either 
0-valent or 1-valent. A configuration is bivalent if it is not monovalent. If E is a finite 
execution of a system S started in configuration C , E(C) denotes the configuration of S at 
the end of the execution E. For the purposes of this section, a step of a process P consists 
of invoking an operation on an object 0, receiving the response from 0, and making an 
appropriate change in its state. 

Lemma 5.2 For all k € {2, 3, . . there is no implementation of consensus from {T*, register} 
for k + 1 processes. 

Proof Assume 1(0\, 0 2 , . . . , 0„) is an implementation of consensus from {T*, register} 
for processes P x , P 2 , . . . , P*+ 1 • Let O = I{0 1 , 0 2 , . . - , O n ). Consider the concurrent system 
S = (Pi, P 2 , • • • , Pk+i',0). Let Co be the initial configuration of S. Assume that in Co, each 
process P, is about to execute Apply(P,, propose v,, O). Furthermore, assume that there are 
l, m (1 < /, m < k + 1) such that v; = 0 and v m = 1. 

When Pi runs by itself from C 0 , the validity and wait-freedom of O require that P t 
decide vi = 0. Similarly, when P m runs by itself from Co, it decides v m = 0. Thus, Co is 
bivalent. Let E be an execution from Co such that (1) Ccr*« = E(Cq) is bivalent, and (2) 

For all Pi, if P, takes a step from Ccrit , the resulting configuration is monovalent. Let S v 
be the set of processes whose step from Ccrit results in a u-valent configuration. Since Ccrit 
is bivalent, neither So nor Si is empty. Furthermore, So fl Si = 0 and |SoU5i| = fc + l>3 
(since k > 2). Without loss of generality, assume that |Sb| > 2 and |5i| > 1. In particular, 
let So = {P?, P $, . . . , if } and Si = {P\,P], ■ • • , P}}, where r > 2 and s > 1. 

By a standard argument, the enabled step of every process in configuration Ccrit must 
be on the same base object O of O. Furthermore, again by a standard argument, O is not a 
register. Thus, the enabled step of every process in configuration Ccrit is on 0, an object of 
type t£. Let ^ and s\ denote the enabled steps of if and P/, respectively, in configuration 
Ccrit . Consider the following scenarios So and Si, each starting from the configuration Ccrit- 

• In Scenario So, if takes the step Sj - Then, Pj takes a step. Let Do be the resulting 
configuration. Clearly Do is a 0-valent configuration. 

• In Scenario Si, Pj takes the step sj. Then, if takes a step. Let D\ be the resulting 
configuration. Clearly Z?i is a 1-valent configuration. 

Processes if and P\ have to distinguish Scenario So from Scenario Si, since they must 
decide 0 in (every extension of) So, and decide 1 in (every extension of) Si. Observe that 
unless the operation applied by if (resp. Pj) in step s® (resp. s{) is a give-decision 
operation, it must eventually apply a give-decision operation on O in order to distinguish 
So from Si. Thus, we extend Scenarios So and Si as follows: 
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• If the operation applied by P 2 ° on O in step is not a give-decision operation, 
run P 2 (in both scenarios) exactly until PP completes a step in which it applies a 
give-decision operation on O. 

• If the operation applied by Pj on 0 in step s| is not a give-decision operation, 
run Pj (in both scenarios) exactly until P\ completes a step in which it applies a 
give-decision operation on 0. 

A process P G (Pi, ... , Pk+i} ~ {PP, if, Pi 1 } has to distinguish Scenario S 0 from Scenario 
Sj, since P must decide 0 in (every extension of) So, and decide 1 in (every extension of) Si. 
Observe, however, that P cannot distinguish So from Si until it applies a give-decision 
operation on O. Thus, we extend Scenarios So and Si as follows: 

• For each P € {Pi, • • • , P*+ 1 } - {P?, P? , P/}, run P (in both scenarios) exactly until 
P completes a step in which it applies a give-decision operation on 0. 

We make the following observations: (1) The process Pp is in the same state in Scenarios 
So and Si. (2) Every base object except O is in the same state in So and Si. (3) In both So 
and Si, a give-decision operation is applied on O at least k times (once by each process 
in {Pi,...,P*+i} - {if}, in the execution from The second observation, together 

with the specification of T d , implies that every subsequent give-decision operation on 0 
returns 0 in either scenario. Extend Scenarios So and Si by letting Jf run by itself. By the 
above observations, if cannot distinguish whether it is running in So or Si. Yet it must 
decide 0 in So and 1 in Si. This is impossible. Hence the lemma. □ 

Corollary 5.1 For all k 6 {2, 3, . . .} U {oo}, h£(T* d ) = k. 

Proof Follows from Lemmas 5.1 and 5.2. E 

5.3 h* is not robust 

In this section, we prove that h»(T* d ) = 1. Thus, h* is different from hj and, hence, is not 
robust. We begin with a simple technical lemma that will be useful in proving h»(T* d ) = 1. 
The lemma states that it is trivial to implement T* d , initialized to any state different from 
the fresh state. In the following, let o[v] denote the value of state variable v in state a. 

Lemma 5.3 Let o be any state of T* d different from the fresh state . Figure IS is an 
implementation of T* d , initialized to o } from 0. 8 

Proof If a is different from the fresh state, then it is easy to verify that 

(o[decision] € {0, 1}) V (a [n 0 ] > 0) V 0[m] > 0) V o[upset]. From this and the specification 

of Tj d , the correctness of the implementation is obvious. □. 

®Thus, the implementation requires no base objects, not even registers. 
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op(0 


give-decision(t, 6) 


return(adfc) rf a[decision] € {0, 1} then 

return(<r[dectston]) 
else if (< r[upset\ V o[no\ > 0) then 
return(O) 
else return(l) 


Figure 13: Implementing T* d , initialized to a non-fresh state a 


The following lemma states that it is impossible to implement a consensus object for 
two processes using just T* d objects. Intuitively, T* d objects are so weak that a process 
cannot use these objects to leave its “foot marks” behind. Thus, if a process Po runs first, 
and then a different process Pi runs, Pi does not realize that P 0 ran before it started. 
This can cause Pi to decide a value which is not consistent with the decision of Po. The 
proof below formalizes this argument. The details of the argument are subtle due to the 
non-determinism of the T* d objects. 

Lemma 5.4 For all A; € {2, 3, . . .} U {oo}, h*(T^ d ) = 1. 

Proof To prove this lemma, we must show that it is impossible to implement a consen- 
sus object for two processes using just Tj[ d objects. We show this by contradiction. Let 
l(0i,0 2 ,...,0 n ) be an implementation of consensus from T* d for processes P 0 and Pi, 
which is resource optimal: i.e., if X' is another implementation of consensus from T nd for 
two processes, then X' requires at least n base objects. From Lemma 5.3, it follows that 
every base object of I is initialized to the fresh state. 

Consider a derived consensus object O of the implementation X. Let 0\, O 2 , ■ • • , O n be 
the base objects of O. In other words, O = X(Oi , 0 2 , . . . , O n ). In the following, we present 
two scenarios, S 0 and Si, which are indistinguishable to Pi, but require Pi to take different 
actions. 

In Scenario S 0 , Po invokes Apply(P 0 , propose 0,0) and executes it to completion. (Exe- 
cution to completion is possible since I is a wait-free implementation.) Assume that during 
the execution of Apply (P 0 , propose 0, 0), every base object behaves like a T d object. That 
is, the history of each base object in the execution of Apply(P 0 , propose 0, 0) is linearizable 
with respect to T$. We will refer to this as Assumption Al. By the validity property of 
O, Apply ( P 0 , propose 0, 0) returns 0. Let S be the set of base objects which are in the 
fresh state in Scenario So at the completion of Apply(Po, propose 0,0). Continue Scenario 
S 0 , and begin Scenario Si, by letting Pi invoke Apply(Pi, propose 1,0) and run by itself in 
either scenario. (See Figure 14 for a depiction of Scenarios So and Si.) Assume that each 
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P\ executes 


Scenario So 


Pq executes 
Apply (Po, propose 0, 0) 


— 1 


Apply (Pi , propose 1, 0 ) 


Scenario Si 


Pi executes 
Apply(Pi , propose 1, O ) 


TIME 


Figure 14: Scenarios So and Si 


base object in S behaves deterministically, consistent with T*, in both scenarios. We will 
refer to this as Assumption A2. We prove the following statement inductively: the base 
objects in {0 X , 0 2 , . . . , O n } -S can choose among the non- deterministic alternatives (when 
applicable) such that for all i > 0, Pi cannot distinguish So from Si in i steps. The base 
case for t = 0 is trivial. To prove the induction step, assume the hypothesis for t < m. 

Consider the (to 4* 1)** step. Let oper be the operation that Pi performs in this step in 
Scenario So, and let O be the base object on which it performs oper . From the induction 
hypothesis and the fact that the implementation is deterministic, it follows that Pi performs 
oper on 0 in its (m + l) 5t step in Scenario Si too. 

Suppose oper e {op(0), op(l)}. Then, the response is ack in either scenario. Thus, So 
and Si remain indistinguishable to Pi after m + 1 steps. Hence the induction step. 

Suppose that oper is give-decision(-, -). We make a case analysis to prove the 
induction step. 

Case 0. O € S 

O is fresh in both S 0 and Si just before the invocation of Apply(Pi, propose 1, 0). 
For S 0 , this follows from the definition of S , and for Si, from the fact that every base 
object is initialized to the fresh state. By Assumption A2, O behaves deterministically 
(consistent with T$) in both scenarios. The above facts, together with induction 
hypothesis, guarantee that (i) O is in the same state in both scenarios at the end of 
m steps of Pi, and (ii) 0 returns the same response to oper in both scenarios. Thus, 
So and Si remain indistinguishable to Pi after m + 1 steps. Hence the induction step. 
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Case 1. Case 0 does not apply and the following holds: In at least one of So and Si, O is upset 
in the first m + 1 steps of Pi . 

Let Sj be a scenario in which 0 is upset in the first m + 1 steps of Pi. By the 
specification of T* d , O is free to return 0 or 1 to oper in Scenario Si. Suppose that O 
uses this freedom and returns the same response to oper in Si as it does in Sj. Then 
So and Si remain indistinguishable to P\ after m + 1 steps. Hence the induction step. 

Case 2. Neither Case 0 nor Case 1 applies. In other words, 0 is not fresh in So just before 
the invocation of Apply(P x , propose 1, 0) and, in both So and Si, 0 is not upset at 
the end of m + 1 steps of Pi . 

We prove the induction step by contradiction. Assume that it is not possible to keep 
Scenarios So and Si indistinguishable to P\ at the end of m + 1 steps. We will refer 
to this as Assumption A3. We arrive at a contradiction after a series of claims. Let 
<r* and af denote the state of O at the end of k steps of Pi in Scenarios So and Si 
respectively. 

Cl. <rf[n gd ] = 0. In other words, P x does not apply a give-decision operation on 
O in its first m steps. 

Suppose that the claim is false. Let k < m be the smallest integer such that 
a\[n g d] = 1. That is, give-decision is executed on 0 for the first time by 
P x in its 1 step in Scenario S x . Since 0 is not upset in Si, this implies 
that ^[decision] € {0,1}, and this value is returned by O in the k th step of 
Pi in Si. By inductive hypothesis, the same value ^[decision] is returned by 
O in the k th step of P x even in So- Since O is not upset in So, this implies 
that ^[decision] = o\[decision]. Since decision is irrevocable, it follows that 
of [decision] = ^[decision] = of[decision] = of [decision] € {0,1}. Since O is 
not upset in either scenario, the responses of [decision] and of [decision] of O to 
oper in Scenarios So and Si, respectively, are identical. Thus, So and Si remain 
indistinguishable to P\ after m + 1 steps. This contradicts Assumption A3. 

C2. There is a v € {0, 1} such that <rf[n v ] > 0 and = 0. In other words, P x 

executes op(v), but not op(u) in its first m steps in Si. 

Suppose cr^fno] = aj"[ni] = 0. Then, by the specification of l* d , when Pi applies 
oper = give-decision(— , — ) in the (m + l) jl step in Si, it upsets O. This 
contradicts the case we are considering. Suppose ^[no] > 0 and of[n\] > 0. 
Since <rf[n gd ] = 0 (by Cl), by the specification of T^ d , O is free to return either 
0 or 1 in Si. Suppose that 0 uses this freedom and returns the same response to 
oper in Si as it does in So- Then So and Si remain indistinguishable to Pi after 
m + 1 steps. This contradicts Assumption A3. 

C3. Pi executes op(t>) on O at least once in its first m steps in So- 
Follows from C2 and the induction hypothesis. 

C4. oper = give-deciBion(v, false). 

Suppose oper = give-decision(v, — ) or oper = give-decision(u, true). Since 
of[ni r] = 0 (by C2), O will be upset in Si when oper is invoked in the (m + 1)*‘ 
step. This contradicts the case we are considering. 
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C5. (ToMa/ieacffv]] = f a ^ se - 

Suppose <jg[ahead[v ]] = true. Then, when Pi executes oper = give-decision(u, false) 
(guaranteed by C4) in its (m + l) s * step in S 0 , it upsets O. This contradicts the 
case we are considering. 

C0. V = 1 implies al\n gd } = 0. In other words, if v = 1, then P 0 never executed a 
give-decision operation on O in So. 

Suppose v = 1 and P 0 executed give-decision(l, — ) on 0 in So- Since 0 
is not upset in So, it follows that P 0 executed op(l) on 0 before executing 
give-decision(l, — ). By C3 and the assumption that v = 1, P\ executed op(l) 
in So- Thus op(l) was executed at least twice on 0 in So- By the specification 
of T^, 0 would be upset in So- This contradicts the case we are considering. 

Suppose v = 1 and P 0 executed give-decision(0, -) on 0 in So- Since 0 
is not upset in S 0 , it follows that P 0 executed op(0) on 0 before executing 
give-decision(0, -). By C5 and the assumption that v = 1, <To*[ahead[0]] = 
false. This implies that Po executed op(l) on 0 before executing give-decision(0, -). 
By C3 and the assumption that v = 1, Pi executed op(l) in So- Thus op(l) was 
executed at least twice on 0 in So- By the specification of T nd , O would be upset 
in So- This contradicts the case we are considering. 

C7. v = 0. 

Suppose » = 1. Then, we can infer: (1) 0-j"[n a< i] = 0 (by Cl), (2) o™[n 9 d\ = 0 
(by Cl, induction hypothesis, and C6), (3) <^i*[ni] > 0 (by C2), (4) ^[ni] > 0 
(by C3). These four facts, together with the specification of T* d , imply that O 
is free to return 0 to oper in both So and Si- Suppose that O does this. Then 
So and Si remain indistinguishable to P\ after m + 1 steps. This contradicts 
Assumption A3. 

C8. O returns 0 to oper (in the (m + l) 4t step of Pi) in Scenario Sj. 

C2 and C6 imply that <rJ"[no] > 0 and <[” 1 ] = 0. Further, by the case we are 
considering, O is not upset in the first m + 1 steps of Pi in Scenario Sj. The 
above facts imply that the only legal value that O can return to oper is 0. 

C9. If Po executed give~decision(l, — ) on O (in So), it did so only after executing 
op(0) on 0. 

Suppose Po executed give-decision(l, — ) on O (in So). Since O is not upset in 
S 0 , this implies that P 0 executed op(l) on 0 before executing give-decision(l, -). 

If P 0 did not execute op(0) before executing give-decision(l, -), then the ex- 
ecution of give-decision(0, — ) would set uhe(i(f[l] to true. This, together with 
the fact that ahead[l ] is stable, implies that <Tj*[ahead[l]] = true. This contra- 
dicts the conjunction of C5 and C7. 

CIO. Every execution of the operation give-decision(— ,— ) on O by Po in Scenario 
So returns the response 0. 

Consider the earliest execution e of give-decision(ti), — ) on O by Po in So- If 
w = 1, C9 implies that Po executes op(0) before e. If w — 0, the fact that O is 
not upset in So implies that Pq executes op(0) before e. Thus, we conclude that 


30 


Pq executes op(0) before e. This, together with Assumption Al, implies that e 
returns 0. From this and the fact that O is not upset in So, it follows that every 
execution of givG“decision(— , — ) on 0 in So returns the response 0. 

Cll. Pq never executes give-decision(— , — ) on O (in So). 

Suppose that the claim is false. Then, from CIO and the fact that O is not upset 
in So, it follows that O returns 0 to oper in the (m+ 1)** step of Pi in Scenario 
So- Thus, by C8, So and Si remain indistinguishable to Pi after m + 1 steps. 
This contradicts Assumption A3. 

We have: (1) cr^no] > 0. This follows from C3 and C7. (2) OcT[n 0 ] > 0. This follows 
from (1) and induction hypothesis. (3) Oq l [n 5 j] = 0. This follows from Cl, induction 
hypothesis, and Cll. From (2), (3), and the specification of T^j, it is clear that O is 
free to return 0 to oper (in the ( m + 1) J< step of Pi) in Scenario S 0 . Suppose that it 
does. Then, by C8, So and Si remain indistinguishable to Pi after m + 1 steps. This 
contradicts Assumption A3. Hence the induction step. 

This completes the proof of the induction step. 

Since J is a wait-free implementation, Apply(Pi, propose 1,0) terminates in So after a 
finite number of steps, returning some value val € (0, 1}. Since Si is indistinguishable to 
p 1 from S 0 , Apply (Pi , propose 1,0) terminates in Si after the same number of steps, also 
returning val. If val = 0, validity of consensus is violated in Si. If val = 1, agreement of 
consensus is violated in So- Thus, X is not a correct implementation, a contradiction. O 

Theorem 5.1 h B is neither tight nor robust. 

Proof Follows from Proposition 3.6, Corollary 5.1, and Lemma 5.4. d 


6 Conclusion 

It is well known that shared primitives, depending on their type, vary widely in their ability 
to support inter-process synchronization. Recent research focussed on analyzing the power 
of individual primitives. In this paper, we ask whether, from our understanding of the power 
of the individual primitives, we can infer the power of a set of primitives. For instance, is it 
impossible to implement a universal primitive from non-universal primitives? The answer 
is not clear. It is conceivable that clever protocols for such implementations exist. Besides 
being of theoretical interest, these issues have implications to multi- processor architectures. 
To make a systematic study of these issues possible, we define the property of robustness for 
wait-free hierarchies. Contrary to popular belief, we show that Herlihy’s wait-free hierarchy 
is not robust. We also show that some natural variants of Herlihy’s hierarchy are also not 
robust. This raises the obvious question of whether there is a non-trivial robust wait-free 
hierarchy at all. We do not know the answer yet. However, we observe that such a hierarchy, 
if it exists, is either or some coarsening of it. Thus, further research on the structure 
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of hj is essential to resolving this open question. As explained in the paper, the answer 
to this question, regardless of whether it is affirmative or negative, has useful implications. 
We close with the conjecture that hj is not robust. 
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